Liu Yiding
5c64a792b6
libsdl3: upgrade 3.2.28 -> 3.2.30
...
Changelog:
https://github.com/libsdl-org/SDL/releases/tag/release-3.2.30
Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a524aaddac)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-20 10:15:19 +05:30
Ankur Tyagi
351df9d54e
libjxl: Fix build error with arm and musl
...
Build fails for qemuarm with musl with following error:
/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/sources/libjxl-0.11.1/lib/jxl/convolve_separable5.cc
| error: out of range pc-relative fixup value
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 63ae47a70d)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-20 10:15:19 +05:30
Ankur Tyagi
6cb598129d
mozjs-128: Fix build error with arm and musl
...
Build fails for qemuarm with musl with following error:
mozglue/misc/StackWalk.o: in function `unwind_callback(_Unwind_Context*, void*)':
| /usr/src/debug/mozjs-128/128.5.2/mozglue/misc/StackWalk.cpp:810:(.text._ZL15unwind_callbackP15_Unwind_ContextPv+0x4): undefined reference to `_Unwind_GetIP'
Referenced commit[1] for the fix, also refreshed patches.
[1] https://github.com/OSSystems/meta-browser/commit/bb8662912354dae13634c0ec35c3803c344b1e72
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 30942cebe8)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-20 10:15:18 +05:30
Wang Mingyu
91193c97a3
libsdl3-image: upgrade 3.2.4 -> 3.2.6
...
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Release Notes:
https://github.com/libsdl-org/SDL_image/releases/tag/release-3.2.6
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-20 10:15:18 +05:30
Gyorgy Sarvari
6d1c5be67b
smarty: extend CVE_PRODUCT
...
Some CVEs assign smarty-php as the vendor to the corresponding CPE.
E.g. CVE-2024-35226[1] is tracked with smarty-php:smarty by mitre
(NVD tracks it without CPE).
[1]: https://cveawg.mitre.org/api/cve/CVE-2024-35226
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1aee6a403c)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-20 10:15:18 +05:30
Khem Raj
f3407694b8
vboxguestdrivers: Upgrade to 7.2.4
...
This is a maintenance release. The following items were fixed or added:
GUI: Fixed VirtualBox VM Manager crash when host was resuming from sleep (github:gh-121, github:gh-170)
GUI: Updated native language support for Traditional Chinese, Greek, Swedish, Hungarian and Indonesian translations
NAT: Fixed issue when multiple port forwarding rules affected NAT functionality (github:gh-232)
Linux host and guest: Introduced initial support for kernel 6.18
Linux Guest Additions: Introduced additional fixes for RHEL 9.6 and 9.7 kernels (github:GH-12)
Windows Guest Additions: Introduced additional fixes for issue when installation was failing in Windows XP SP2 guest (github:GH-142)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Bruce Ashfield <bruce.ashfield@gmail.com>
(cherry picked from commit 0ecf2814b2)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-20 10:15:17 +05:30
Wang Mingyu
1b5228dcce
libdecor: upgrade 0.2.4 -> 0.2.5
...
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
https://gitlab.freedesktop.org/libdecor/libdecor/-/compare/0.2.4...0.2.5?from_project_id=18349
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-20 10:15:17 +05:30
Wang Mingyu
d879c37905
cryptsetup: upgrade 2.8.1 -> 2.8.3
...
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 6f41c5872d)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-20 10:15:16 +05:30
Gyorgy Sarvari
5508b827fb
nodejs: remove extra CVE_PRODUCT
...
CVE_PRODUCT is specified twice - the second instance only duplicates one
value from the first instance.
Remove this extra CVE_PRODUCT.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 6ff9252484)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-20 10:15:16 +05:30
Ankur Tyagi
441cf7db11
php: upgrade 8.4.16 -> 8.4.17
...
Changelog: https://www.php.net/ChangeLog-8.php#8.4.17
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-20 10:15:15 +05:30
Wang Mingyu
4beb45b615
microsoft-gsl: upgrade 4.2.0 -> 4.2.1
...
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1d33fb39d9)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-20 10:15:15 +05:30
Dmitry Baryshkov
cce0f2d7cd
vulkan-cts: upgrade 1.4.4.0 -> 1.4.4.2
...
Upgrade Vulkan CTS to the point release, fixing several tests. While we
are at it, refresh Vulkan-Video-Samples patches.
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 374949c531)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-20 10:15:14 +05:30
Jiaying Song
a1a87ebf04
minicoredumper: fix 2038 year problem in timestamp handling
...
The minicoredumper has multiple 2038 year problems where 'long' type
variables and strtol() function calls cause overflow on 32-bit systems
when handling timestamps after 2038-01-19.
This leads to incorrect timestamp formatting in core dump directory
names (e.g., sleep40s.20380119.031407+0000.598).
Fix by changing 'long timestamp' to 'time_t timestamp' and replacing
strtol() with strtoll() to properly handle 64-bit timestamps on
32-bit systems.
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit b5685fb375)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-20 10:15:14 +05:30
Wang Mingyu
199ca0c29d
usb-modeswitch: upgrade 2.6.1 -> 2.6.2
...
0001-Fix-build-with-gcc-15.patch
removed since it's included in 2.6.2
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit dfbe08b6c3)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-20 10:15:13 +05:30
Wang Mingyu
5a9ced1fd5
usb-modeswitch-data: upgrade 20191128 -> 20251207
...
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 8f2c436db5)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-20 10:15:13 +05:30
Wang Mingyu
650978be5c
libsdl3: upgrade 3.2.26 -> 3.2.28
...
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 26e3ef119b)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-20 10:15:12 +05:30
Liu Yiding
cb3faee20b
liblognorm: upgrade 2.0.7 -> 2.0.8
...
Change log
==========
Version 2.0.8, 2025-12-04
- fix potential segfault on some platforms
Thanks to Julian Thomas for a fix
- fix memory leak when a custom type in rules does not match
Thanks to Meric Sentunali for the fix and Julian Thomas for alerting
me of the missing merge.
Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit c627784366)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-20 10:15:12 +05:30
Wang Mingyu
6d4fdf7f7e
parallel: upgrade 20251022 -> 20251122
...
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit c9c4b5a887)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-20 10:15:12 +05:30
Wang Mingyu
f2c80b13c4
python3-psycopg: upgrade 3.2.12 -> 3.2.13
...
Changelog:
==============
- Show the host name in the error message in case of name resolution error
- Fix Cursor.copy() and AsyncCursor.copy() to hold the connection lock for the
entire operation, preventing concurrent access issues
- Fix GSSAPI check with C extension built with libpq < v16
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 4b297312d7)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-20 10:15:11 +05:30
Peter Marko
c870a26c00
libcoap: set CVE version suffix
...
CVE metrics currently report CVE-2025-34468 as open.
CPE is <=4.3.5, while recipe version is 4.3.5a which is a higher
version, however by default cve-check only compares numbers.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-20 10:15:11 +05:30
Peter Marko
08d81e661e
libsodium: patch CVE-2025-69277
...
Pick patch per [1].
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-69277
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-20 10:15:10 +05:30
Peter Marko
0d737e1419
net-snmp: patch CVE-2025-68615
...
Pick patch per [1].
[1] https://security-tracker.debian.org/tracker/CVE-2025-68615
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-20 10:15:07 +05:30
Gyorgy Sarvari
c6849e7529
python3-django: upgrade 5.2.8 -> 5.2.9
...
Includes fix for CVE-2025-13372 and CVE-2025-64460
Changelog: https://github.com/django/django/blob/5.2.9/docs/releases/5.2.9.txt
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 2538918df1)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-06 18:07:59 +05:30
Gyorgy Sarvari
9a6b60af3e
python3-django: upgrade 4.2.26 -> 4.2.27
...
Contains fix for CVE-2025-13372 and CVE-2025-64460
Changelog: https://github.com/django/django/blob/4.2.27/docs/releases/4.2.27.txt
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit fae6fe9b41)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-06 18:07:58 +05:30
Gyorgy Sarvari
b964b9858b
python3-configobj: ignore CVE-2023-26112
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-26112
The used version (5.0.9) contains the fix[1] already - ignore the CVE.
[1]: https://github.com/DiffSK/configobj/commit/7c618b0bbaff6ecaca51a6f05b29795d1377a4a5
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-06 18:07:58 +05:30
Gyorgy Sarvari
e51133657a
postgresql: upgrade 17.6 -> 17.7
...
It contains fixes for CVE-2025-12817 and CVE-2025-12818.
Changelog:
https://www.postgresql.org/docs/release/17.7/
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 8217b90e94)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-06 18:07:57 +05:30
Gyorgy Sarvari
7c1e9999d0
php: upgrade 8.4.15 -> 8.4.16
...
This is a bugfix release, containing fixes for CVE-2025-14177,
CVE-2025-14178 and CVE-2025-14180.
Changelog: https://www.php.net/ChangeLog-8.php#8.4.16
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-06 18:07:57 +05:30
Gyorgy Sarvari
303f5afacf
openvpn: upgrade 2.6.16 -> 2.6.17
...
Contains fix for CVE-2025-13751
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-06 18:07:56 +05:30
Hugo SIMELIERE
925318887e
libwebsockets: fix CVE-2025-11678
...
Backport a fix from Debian:
https://sources.debian.org/patches/libwebsockets/4.3.5-1+deb13u1/CVE-2025-11678.patch
Upstream commit:
https://github.com/warmcat/libwebsockets/commit/2bb9598562b37c942ba5b04bcde3f7fdf66a9d3a
Signed-off-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
(cherry picked from commit 5fab8bd31b)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-06 18:07:56 +05:30
Hugo SIMELIERE
9570160dae
libwebsockets: fix CVE-2025-11677
...
Backport a fix from Debian:
https://sources.debian.org/patches/libwebsockets/4.3.5-1+deb13u1/CVE-2025-11677.patch
Upstream commit:
https://github.com/warmcat/libwebsockets/commit/2f082ec31261f556969160143ba94875d783971a
Signed-off-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
(cherry picked from commit da04d7003e)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-06 18:07:55 +05:30
Gyorgy Sarvari
94e21ed9b5
libcoap: ignore CVE-2025-50518
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-50518
The vulnerability is disputed by upstream, because the vulnerability
requires a user error, incorrect library usage. See also an upstream
discussion in a related (rejected) PR: https://github.com/obgm/libcoap/pull/1726
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 598176e1cb)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-06 18:07:55 +05:30
Gyorgy Sarvari
b8127adea4
imagemagick: upgrade 7.1.2-8 -> 7.1.2-12
...
Contains fix for CVE-2025-65955 and CVE-2025-69204.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-06 18:07:54 +05:30
Gyorgy Sarvari
a06ce2aa74
gimp: patch CVE-2025-14425
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14425
Backport the patch referenced by the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 49732c90c0)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-06 18:07:54 +05:30
Gyorgy Sarvari
f9add3e25a
gimp: patch CVE-2025-14424
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14424
Pick the patch referenced by the NVD report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit b16c1a543a)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-06 18:07:53 +05:30
Gyorgy Sarvari
732aa8f936
gimp: patch CVE-2025-14423
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14423
Pick the patch referenced by the NVD report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 6aa5720e76)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-06 18:07:53 +05:30
Gyorgy Sarvari
b680240a03
gimp: patch CVE-2025-14422
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14422
Pick the patch referenced by the NVD report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a0b41204af)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-06 18:07:53 +05:30
Gyorgy Sarvari
ed4878b3bc
freerdp3: ignore CVE-2025-68118
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68118
It is a Windows only vulnerability, ignore it.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-06 18:07:52 +05:30
Ankur Tyagi
22b7851cde
fetchmail: patch CVE-2025-61962
...
Details https://nvd.nist.gov/vuln/detail/CVE-2025-61962
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
(cherry picked from commit 0d9da11052)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-06 18:07:52 +05:30
Gyorgy Sarvari
0827d22e4c
civetweb: ignore CVE-2025-9648
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-9648
It is already fixed in the currently used version.
Also, update CVE-2025-55763's status to "fixed-version" (so it will be
marked as "Patched" in the CVE report instead of "Ignored")
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit bfb76da63b)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-06 18:07:51 +05:30
Gyorgy Sarvari
670aa709fb
tigervnc: ignore CVE-2025-26594...26601
...
Ignore the following CVEs: CVE-2025-26594, CVE-2025-26595, CVE-2025-26596,
CVE-2025-26597, CVE-2025-26598, CVE-2025-26599, CVE-2025-26600, CVE-2025-26601
Details:
https://nvd.nist.gov/vuln/detail/CVE-2025-26594
https://nvd.nist.gov/vuln/detail/CVE-2025-26595
https://nvd.nist.gov/vuln/detail/CVE-2025-26596
https://nvd.nist.gov/vuln/detail/CVE-2025-26597
https://nvd.nist.gov/vuln/detail/CVE-2025-26598
https://nvd.nist.gov/vuln/detail/CVE-2025-26599
https://nvd.nist.gov/vuln/detail/CVE-2025-26600
https://nvd.nist.gov/vuln/detail/CVE-2025-26601
TigerVNC compiles its own xserver, this is why these CVEs are associated
with it - despite the vulnerabilities being in xserver.
All of these vulnerabilities were fixed by the same PR[1], which has
been part of xserver since version 21.1.16 (the currently used xserver
version in TigerVNC is 21.1.18).
Due to this, ignore these vulnerabilities, and just mark them as patched.
[1]: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 4924e89bb7)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-06 18:07:51 +05:30
Gyorgy Sarvari
62a12a32a8
tigervnc: ignore CVE-2023-6478
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-6478
TigerVNC compiles its own xserver, this is why this CVE is associated
with it - despite the vulnerability being in xserver.
The vulnerability was fixed by [1] (from the nvd report), which has been
backported[2] to the xserver version used by the recipe - so ignore the
CVE, since it's patched already.
[1]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632
[2]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/58e83c683950ac9e253ab05dd7a13a8368b70a3c
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 62a78f8ba7)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-06 18:07:50 +05:30
Gyorgy Sarvari
dc575822b2
tigervnc: ignore CVE-2023-6377
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-6377
TigerVNC compiles its own xserver, this is why this CVE is associated
with it - despite the vulnerability being in xserver.
The vulnerability was fixed by [1] (from the nvd report), which has been
backported[2] to the xserver version used by the recipe - so ignore the
CVE, since it's patched already.
[1]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd
[2]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/a7bda3080d2b44eae668cdcec7a93095385b9652
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f691f2178b)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-06 18:07:50 +05:30
Gyorgy Sarvari
0be619859e
tigervnc: sync xserver code with oe-core
...
TigerVNC compiles its own xserver. Synchronize the xserver version
with oe-core.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit fadb9c0570)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-06 18:07:49 +05:30
Gyorgy Sarvari
d5f3269b90
tigervnc: fix typo in CVE_STATUS
...
Forgot to add the CVE- prefix in previous patch.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 2f913279d4)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-06 18:07:49 +05:30
Gyorgy Sarvari
e370d2f41f
fio: ignore CVE-2025-10824
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-10824
The upstream maintainer wasn't able to reproduce the issue[1],
and the related bug is closed without further action.
[1]: https://github.com/axboe/fio/issues/1981
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a275078cbe)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-06 18:07:48 +05:30
Gyorgy Sarvari
c0a63f5222
dovecot: patch CVE-2025-30189
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-30189
Pick the patches referenced by the advisory[1] from the Full Disclosure list.
[1]: https://seclists.org/fulldisclosure/2025/Oct/29
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-06 18:07:48 +05:30
Gyorgy Sarvari
af7857e40c
cups-filters: patch CVE-2025-64524
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64524
Pick the patch mentioned in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 056ee43dd1)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-06 18:07:47 +05:30
Gyorgy Sarvari
6a2e51e989
cifs-utils: patch CVE-2025-2312
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2312
Pick the patch that is referenced by the NVD report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-06 18:07:47 +05:30
Jason Schonberg
1a7e2ac776
c-ares: upgrade 1.34.5 -> 1.34.6
...
Drop memory leak patch which has already been included in this new version.
The new version also includes a fix for CVE-2025-62408.
Changelog: https://github.com/c-ares/c-ares/releases/tag/v1.34.6
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 996768e080)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-06 18:07:46 +05:30
Gyorgy Sarvari
efde0fec54
minio: ignore irrelevant CVEs
...
The minio umbrella covers multiple projects. The recipe itself builds
"minio client", which is a set of basic tools to query data from
"minio server" - like ls, mv, find...
The CVEs were filed against minio server. Looking at the go mod list,
this recipe doesn't use minio server even as a build dependency - so ignore
the CVEs.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit df462075be)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-06 18:07:46 +05:30